Gate issue and PR controls by policy

Status	File	+	-
M	`docs/internal/issues.md`	9	0
M	`docs/internal/pr-review.md`	6	0
M	`internal/web/handlers/repo/issues.go`	28	12
M	`internal/web/handlers/repo/labels_milestones.go`	18	10
M	`internal/web/handlers/repo/pulls.go`	12	0
M	`internal/web/templates/repo/issue_view.html`	20	5
M	`internal/web/templates/repo/labels.html`	2	2
M	`internal/web/templates/repo/milestones.html`	2	2
M	`internal/web/templates/repo/pull_view.html`	9	5

docs/internal/issues.mdmodified

  model: any logged-in user may open or comment on issues in a public
  repo, while private repos require `read` access.
++The issue page is capability-driven:
++
++- The comment box appears only when `policy.Can(issue:comment)` allows
++  and the issue is not locked, unless the viewer is triage+.
++- Close/reopen appears for triage+ users and for the issue author.
++- Labels, assignees, milestones, and lock controls appear only for the
++  matching triage-level policy action. Public participants should not
++  see forms that only lead to 403s.
++
  ## Cross-reference indexing
  `internal/issues/references.go::insertReferencesFromBody` parses

docs/internal/pr-review.mdmodified

  The settings/branches handler now also accepts
  `required_review_count` and `dismiss_stale_reviews_on_push`.
++The PR template hides review-request, review-submit, inline-comment,
++and thread-resolve controls unless `policy.Can(pull:review)` allows
++the viewer. Merge and close controls are similarly driven by
++`pull:merge` and `pull:close` decisions. Public viewers who can read a
++PR should not see forms that only lead to 403s.
++
  ## Required-review gate
  `internal/pulls/review/required.go::Evaluate` is the authoritative

internal/web/handlers/repo/issues.gomodified

  			authorName = u.Username
+ 		}
+ 	}
++	viewer := middleware.CurrentUserFromContext(r.Context())
++	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
++	pdeps := policy.Deps{Pool: h.d.Pool}
++	repoRef := policy.NewRepoRefFromRepo(row)
++	stateRef := repoRef
++	if issue.AuthorUserID.Valid {
++		stateRef.AuthorUserID = issue.AuthorUserID.Int64
++	}
++	canCommentAction := policy.Can(r.Context(), pdeps, actor, policy.ActionIssueComment, repoRef).Allow
++	canCommentThroughLock := policy.HasRoleAtLeast(r.Context(), pdeps, actor, repoRef, policy.RoleTriage)
  	w.Header().Set("Content-Type", "text/html; charset=utf-8")
  	_ = h.d.Render.RenderPage(w, r, "repo/issue_view", map[string]any{
--		"Title":      issue.Title + " · " + row.Name,
++		"Title":                 issue.Title + " · " + row.Name,
--		"Owner":      owner.Username,
++		"Owner":                 owner.Username,
--		"Repo":       row,
++		"Repo":                  row,
--		"Issue":      issue,
++		"Issue":                 issue,
--		"AuthorName": authorName,
++		"AuthorName":            authorName,
--		"Comments":   cs,
++		"Comments":              cs,
--		"Events":     events,
++		"Events":                events,
--		"Labels":     labels,
++		"Labels":                labels,
--		"Assignees":  assignees,
++		"Assignees":             assignees,
--		"AllLabels":  allLabels,
++		"AllLabels":             allLabels,
--		"Milestones": milestones,
++		"Milestones":            milestones,
--		"CSRFToken":  middleware.CSRFTokenForRequest(r),
++		"CanComment":            canCommentAction && (!issue.Locked || canCommentThroughLock),
++		"CanSetIssueState":      policy.Can(r.Context(), pdeps, actor, policy.ActionIssueClose, stateRef).Allow,
++		"CanEditIssueLabels":    policy.Can(r.Context(), pdeps, actor, policy.ActionIssueLabel, repoRef).Allow,
++		"CanEditIssueAssignees": policy.Can(r.Context(), pdeps, actor, policy.ActionIssueAssign, repoRef).Allow,
++		"CanEditIssueMilestone": policy.Can(r.Context(), pdeps, actor, policy.ActionIssueLabel, repoRef).Allow,
++		"CanLockIssue":          policy.Can(r.Context(), pdeps, actor, policy.ActionIssueClose, repoRef).Allow,
++		"CSRFToken":             middleware.CSRFTokenForRequest(r),
  	})
+ }

internal/web/handlers/repo/labels_milestones.gomodified

  		return
+ 	}
  	labels, _ := h.iq.ListLabels(r.Context(), h.d.Pool, row.ID)
++	viewer := middleware.CurrentUserFromContext(r.Context())
++	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
++	canManage := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionIssueLabel, policy.NewRepoRefFromRepo(row)).Allow
  	w.Header().Set("Content-Type", "text/html; charset=utf-8")
  	_ = h.d.Render.RenderPage(w, r, "repo/labels", map[string]any{
--		"Title":     "Labels · " + row.Name,
++		"Title":          "Labels · " + row.Name,
--		"Owner":     owner.Username,
++		"Owner":          owner.Username,
--		"Repo":      row,
++		"Repo":           row,
--		"Labels":    labels,
++		"Labels":         labels,
--		"CSRFToken": middleware.CSRFTokenForRequest(r),
++		"CanManageIssue": canManage,
++		"CSRFToken":      middleware.CSRFTokenForRequest(r),
  	})
+ }
  		return
+ 	}
  	ms, _ := h.iq.ListMilestones(r.Context(), h.d.Pool, row.ID)
++	viewer := middleware.CurrentUserFromContext(r.Context())
++	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
++	canManage := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionIssueLabel, policy.NewRepoRefFromRepo(row)).Allow
  	w.Header().Set("Content-Type", "text/html; charset=utf-8")
  	_ = h.d.Render.RenderPage(w, r, "repo/milestones", map[string]any{
--		"Title":      "Milestones · " + row.Name,
++		"Title":          "Milestones · " + row.Name,
--		"Owner":      owner.Username,
++		"Owner":          owner.Username,
--		"Repo":       row,
++		"Repo":           row,
--		"Milestones": ms,
++		"Milestones":     ms,
--		"CSRFToken":  middleware.CSRFTokenForRequest(r),
++		"CanManageIssue": canManage,
++		"CSRFToken":      middleware.CSRFTokenForRequest(r),
  	})
+ }

internal/web/handlers/repo/pulls.gomodified

  		"Tab":        tab,
  		"CSRFToken":  middleware.CSRFTokenForRequest(r),
+ 	}
++	viewer := middleware.CurrentUserFromContext(r.Context())
++	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
++	pdeps := policy.Deps{Pool: h.d.Pool}
++	repoRef := policy.NewRepoRefFromRepo(row)
++	stateRef := repoRef
++	if pr.IAuthorUserID.Valid {
++		stateRef.AuthorUserID = pr.IAuthorUserID.Int64
++	}
++	data["CanReviewPull"] = policy.Can(r.Context(), pdeps, actor, policy.ActionPullReview, repoRef).Allow
++	data["CanMergePull"] = policy.Can(r.Context(), pdeps, actor, policy.ActionPullMerge, repoRef).Allow
++	data["CanSetPullState"] = policy.Can(r.Context(), pdeps, actor, policy.ActionPullClose, stateRef).Allow
++	data["CanReadyPull"] = policy.Can(r.Context(), pdeps, actor, policy.ActionPullCreate, repoRef).Allow
  	for k, v := range extras {
  		data[k] = v
+ 	}

internal/web/templates/repo/issue_view.htmlmodified

        </div>
        {{ end }}
--      {{ if .Viewer.ID }}
++      {{ if .CanComment }}
        <form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/issues/{{ .Issue.Number }}/comments" class="shithub-comment-form">
          <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
          <label>
            <textarea name="body" rows="6" maxlength="65535" required></textarea>
          </label>
          <div class="shithub-form-actions">
++          {{ if .CanSetIssueState }}
            {{ if eq (printf "%s" .Issue.State) "open" }}
            <button type="submit" formaction="/{{ .Owner }}/{{ .Repo.Name }}/issues/{{ .Issue.Number }}/state" name="state" value="closed" class="shithub-button">Close issue</button>
            {{ else }}
            <button type="submit" formaction="/{{ .Owner }}/{{ .Repo.Name }}/issues/{{ .Issue.Number }}/state" name="state" value="open" class="shithub-button">Reopen issue</button>
            {{ end }}
++          {{ end }}
            <button type="submit" class="shithub-button shithub-button-primary">Comment</button>
          </div>
        </form>
++      {{ else if .CanSetIssueState }}
++      <form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/issues/{{ .Issue.Number }}/state" class="shithub-comment-form">
++        <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
++        <div class="shithub-form-actions">
++          {{ if eq (printf "%s" .Issue.State) "open" }}
++          <button type="submit" name="state" value="closed" class="shithub-button">Close issue</button>
++          {{ else }}
++          <button type="submit" name="state" value="open" class="shithub-button">Reopen issue</button>
++          {{ end }}
++        </div>
++      </form>
++      {{ else if .Viewer.ID }}
++        {{ if .Issue.Locked }}<p class="shithub-issue-signedout">This conversation is locked.</p>{{ end }}
        {{ else }}
        <p class="shithub-issue-signedout"><a href="/login">Sign in</a> to comment.</p>
        {{ end }}
          {{ if .Labels }}
            {{ range .Labels }}<span class="shithub-label" style="background-color: #{{ .Color }}">{{ .Name }}</span>{{ end }}
          {{ else }}<p class="shithub-muted">None yet</p>{{ end }}
--        {{ if .Viewer.ID }}
++        {{ if .CanEditIssueLabels }}
          <details>
            <summary>Edit labels</summary>
            <form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/issues/{{ .Issue.Number }}/labels">
          {{ if .Assignees }}
            {{ range .Assignees }}<a href="/{{ .Username }}">@{{ .Username }}</a>{{ end }}
          {{ else }}<p class="shithub-muted">No one assigned</p>{{ end }}
--        {{ if .Viewer.ID }}
++        {{ if .CanEditIssueAssignees }}
          <form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/issues/{{ .Issue.Number }}/assignees" class="shithub-assignee-form">
            <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
            <input type="text" name="username" placeholder="username" required>
            {{ $mid := .Issue.MilestoneID.Int64 }}
            {{ range .Milestones }}{{ if eq .ID $mid }}<a href="/{{ $.Owner }}/{{ $.Repo.Name }}/milestones">{{ .Title }}</a>{{ end }}{{ end }}
          {{ else }}<p class="shithub-muted">No milestone</p>{{ end }}
--        {{ if .Viewer.ID }}
++        {{ if .CanEditIssueMilestone }}
          <form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/issues/{{ .Issue.Number }}/milestone">
            <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
            <select name="milestone_id">
          {{ end }}
        </section>
--      {{ if .Viewer.ID }}
++      {{ if .CanLockIssue }}
        <section>
          <h3>Lock</h3>
          <form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/issues/{{ .Issue.Number }}/lock">

internal/web/templates/repo/labels.htmlmodified


     </h1>
   </header>
 
+  {{ if .CanManageIssue }}
   <details class="shithub-label-create">
     <summary class="shithub-button shithub-button-primary">New label</summary>
     <form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/labels" class="shithub-label-form">

     <li class="shithub-labels-row">
       <span class="shithub-label" style="background-color: #{{ .Color }}">{{ .Name }}</span>
       {{ if .Description }}<span class="shithub-muted">{{ .Description }}</span>{{ end }}
+      {{ if $.CanManageIssue }}
       <details class="shithub-label-edit">
         <summary class="shithub-button">Edit</summary>
         <form method="post" action="/{{ $.Owner }}/{{ $.Repo.Name }}/labels/{{ .ID }}/update" class="shithub-label-form">

internal/web/templates/repo/milestones.htmlmodified


     </h1>
   </header>
 
+  {{ if .CanManageIssue }}
   <details class="shithub-milestone-create">
     <summary class="shithub-button shithub-button-primary">New milestone</summary>
     <form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/milestones" class="shithub-milestone-form">

         {{ if .DueOn.Valid }}<small>due {{ .DueOn.Time.Format "Jan 2, 2006" }}</small>{{ end }}
       </h3>
       {{ if .Description }}<p>{{ .Description }}</p>{{ end }}
+      {{ if $.CanManageIssue }}
       <div class="shithub-milestone-actions">
         <form method="post" action="/{{ $.Owner }}/{{ $.Repo.Name }}/milestones/{{ .ID }}/state">
           <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">

internal/web/templates/repo/pull_view.htmlmodified

          </section>
          {{ end }}
--        {{ if .Viewer.ID }}
++        {{ if .CanReviewPull }}
          <details class="shithub-pull-request-reviewer">
            <summary class="shithub-button">Request review</summary>
            <form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/pulls/{{ .PR.INumber }}/reviewers">
            <p class="shithub-pull-state-{{ printf "%s" .PR.MergeableState }}">
              {{ printf "%s" .PR.MergeableState }}
            </p>
--          {{ if .Viewer.ID }}
++        {{ if or .CanMergePull .CanSetPullState .CanReadyPull }}
++            {{ if .CanMergePull }}
              {{ if eq (printf "%s" .PR.MergeableState) "clean" }}
                <form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/pulls/{{ .PR.INumber }}/merge" class="shithub-pull-merge-form">
                  <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
              {{ else }}
                <p class="shithub-muted">Mergeability is being computed…</p>
              {{ end }}
++            {{ end }}
++            {{ if .CanSetPullState }}
              <form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/pulls/{{ .PR.INumber }}/state" class="shithub-pull-state-form">
                <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
                <button type="submit" name="state" value="closed" class="shithub-button">Close pull request</button>
              </form>
--            {{ if .PR.Draft }}
++            {{ end }}
++            {{ if and .CanReadyPull .PR.Draft }}
                <form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/pulls/{{ .PR.INumber }}/ready">
                  <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
                  <button type="submit" class="shithub-button">Ready for review</button>
                <div class="shithub-comment-body markdown-body">
                  {{ if .C.BodyHtmlCached.Valid }}{{ safeHTML .C.BodyHtmlCached.String }}{{ else }}<p>{{ .C.Body }}</p>{{ end }}
                </div>
--              {{ if $.Viewer.ID }}
++              {{ if $.CanReviewPull }}
                <div class="shithub-pull-thread-actions">
                  <form method="post" action="/{{ $.Owner }}/{{ $.Repo.Name }}/pulls/{{ $.PR.INumber }}/review-comments/{{ .C.ID }}/reply">
                    <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">
          {{ end }}
        {{ end }}
--      {{ if .Viewer.ID }}
++      {{ if .CanReviewPull }}
        <details class="shithub-pull-add-comment">
          <summary class="shithub-button">Add inline comment</summary>
          <form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/pulls/{{ .PR.INumber }}/review-comments">

tenseleyflow/shithub / `810896d`

9 changed files

`@@ -8,7 +8,7 @@`
8	</h1>	8	</h1>
9	</header>	9	</header>
10		10
11	- {{ if .Viewer.ID }}	11	+ {{ if .CanManageIssue }}
12	<details class="shithub-label-create">	12	<details class="shithub-label-create">
13	<summary class="shithub-button shithub-button-primary">New label</summary>	13	<summary class="shithub-button shithub-button-primary">New label</summary>
14	<form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/labels" class="shithub-label-form">	14	<form method="post" action="/{{ .Owner }}/{{ .Repo.Name }}/labels" class="shithub-label-form">
`@@ -26,7 +26,7 @@`
26	<li class="shithub-labels-row">	26	<li class="shithub-labels-row">
27	<span class="shithub-label" style="background-color: #{{ .Color }}">{{ .Name }}</span>	27	<span class="shithub-label" style="background-color: #{{ .Color }}">{{ .Name }}</span>
28	{{ if .Description }}<span class="shithub-muted">{{ .Description }}</span>{{ end }}	28	{{ if .Description }}<span class="shithub-muted">{{ .Description }}</span>{{ end }}
29	- {{ if $.Viewer.ID }}	29	+ {{ if $.CanManageIssue }}
30	<details class="shithub-label-edit">	30	<details class="shithub-label-edit">
31	<summary class="shithub-button">Edit</summary>	31	<summary class="shithub-button">Edit</summary>
32	<form method="post" action="/{{ $.Owner }}/{{ $.Repo.Name }}/labels/{{ .ID }}/update" class="shithub-label-form">	32	<form method="post" action="/{{ $.Owner }}/{{ $.Repo.Name }}/labels/{{ .ID }}/update" class="shithub-label-form">